Alexandre Grothendieck, Récoltes et Semailles



0. Introduction. 



A network is a set N such that for each pair of elements u, v of N, there exists
a set Hom(u,v) called the set of connections between u and v. In practice,
the set N can be a set of people, and Hom(u,v) the communication tools
used by u and v to exchange data. Remark that we do not assume that N is
a category, that is, the Chasles relation is not verified by the elements of the
sets Hom(u,v). The network that we are going to consider here is a network
whose users are computers, and the routes between two users u and v are wired
or wireless communications between u and v. The duality principle (the
Yin-Yang principle) shows that the existence of a network N implies the existence
of a different network N' (this is equivalent to the fact that the set of elements
of N is always defined as a subset of a bigger set) whose users are potential
opponents of the users of N. We assume that each network verifies the life
principle, that is, its users or manager enforce its characteristics or, equivalently,
reduce its entropy. This implies that the characteristics of the networks are time
dependent. To enforce the characteristics of a network, its users must develop a
science which transforms elements outside of the network for its use. For this
purpose they have to develop a graphology to represent the objects of their
study. Different networks need to develop themselves; this induces concurrency,
and justifies the following assertion of Jean Paul Sartre: "Devil are the others";
this can also be compared to the Indian Maya philosophy. The concurrency
between different networks implies that the results of the knowledge that they
develop are often submitted to a secret law. This gives rise to cryptography.

Cryptography is the science of secrecy of communications, that is, the study
of secret (crypto) writing (graphy), which may be used to:

Conceal the meaning of a message (plaintext) from all except the sender
and the receiver.

Verify the correctness of a message (authentication).

Cryptography appeared in the earliest human societies:

Ancient Egyptians encrypted their hieroglyphics.

Julius Caesar created the Caesar cipher.

Geoffrey Chaucer, an English author, included many ciphers in his work.

The clay of Phaistos was enciphered,...

The development of technologies has generated new types of encryption, like
the Jefferson machine.

Electricity and electronics have introduced a new language: the binary language,
nowadays used to encrypt texts typed with computers. The widespread
development of computer science and the internet has created the need for security
of data exchanged with these techniques. In the recent news, we have learnt
about crimes perpetrated by hackers.

A language $E$ used to write a text is a finite set. A text is an ordered
collection of words, that is a collection of ordered finite subsets of $E$. Let $P(E)$
be the set whose elements are subsets of $E$. An encryption map is a map
$h : P(E) \to P(E')$. Note that the encrypted text can be written in a different
alphabet. In practice the encryption map is described by a key or clue called the
cipher, and the elements of its image are called the ciphertexts. A user uses a
key $L$, which he applies to the plaintext $P$ to obtain the ciphertext $E(L, P) = C$.
The receiver receives the ciphertext $C$, which he decrypts with the key $L'$, and
obtains $D(L', C) = P$.

There exist many types of ciphers, which can be divided in two categories:

Symmetric ciphers: these are ciphers for which the knowledge of the key used
for encryption is equivalent to the knowledge of the key used for decryption.
Examples of symmetric ciphers are substitution ciphers, like the Caesar cipher,
and transposition ciphers.

Asymmetric ciphers: these are ciphers for which the knowledge of the key
used for the encryption does not imply the knowledge of the key used for the
decryption, like the R.S.A cipher and the Diffie-Hellman algorithm. They are used to
define authentication protocols, digital signatures,... The first method of public
encryption appeared in a classified document published by the
Communications-Electronics Security Group, Britain's counterpart to the N.S.A.

In public encryption, each user U has two keys: its private key LIj and its
public key Lfj; the key Lfj is known by the other users but not the key L\j.
The secrecy of this protocol is due to the fact that it is infeasible to compute

with Ly. To send a message P to V, U calculates E(P, Ly) = C; to decrypt
the ciphertext C, V calculates D(Ly, C) = P. In practice, asymmetric ciphers
are used to exchange symmetric keys between users, since the algorithms which
define these ciphers are slow.

A symmetric cipher must encrypt blocks of large size of the plaintext if the
length of the plaintext is big; otherwise the statistical properties (like the
frequency of letters) of the language used to write the plaintext are reflected in
the ciphertext. It is for these reasons that modern symmetric ciphers like D.E.S
and A.E.S are applied to blocks of at least 64 bits. These ciphers are
often the composition of many rounds; each round is roughly the composition of
the following operations: permutation of the entries of the round, addition of a round
key, substitution of bits using an S-matrix, application of a linear map,...
The operations which compose each round have to be elementary to be easily
implemented.

The plaintext block used in modern encryption is often endowed with an
algebraic structure, like in A.E.S encryption, where plaintext blocks are identified
with elements of a finite field. In this paper, we study plaintext blocks endowed
with the structure of a finite algebraic variety or the structure of a finite scheme.

The ciphertexts must resist cryptanalysis, which is the science of methods
of transforming an unintelligible text, the ciphertext, into an intelligible text, the
plaintext. This is the science used by attackers. There exist many different
types of attacks:

Brute force attack: the opponent knows the ciphertext and the algorithm;
he tries every key to find the plaintext.

Chosen plaintext attacks: the opponent knows the ciphertext and the algorithm,
and he can generate ciphertexts by inserting plaintexts in the encryption
machine.

Chosen ciphertext attacks: the opponent knows the ciphertext and the
algorithm, and he can generate plaintexts by decrypting ciphertexts.

The main challenge in the organization of a network is the distribution of
keys: suppose that two users U and V of a network N want to exchange
encrypted data; how can the keys needed for encryption be provided to U and
V with secrecy? There exist many solutions to this problem: physical
distribution, if the users are not physically far from each other; the use of a third
party called the key distribution center; another solution is public encryption.

The purpose of this paper is to study the geometric properties of cryptography.
Differential and algebraic geometry are divided in two fields:

The local study: in differential geometry, this is the study of the properties
of differentiable maps of $\mathbb{R}^n$, and in algebraic geometry it is the theory of
commutative rings.

The global study: this is the study of geometric objects which are obtained
by gluing local objects.

Cryptography can be thought of as a geometry for which the local study is
the study of encryption and decryption maps, and the global study is the study of
encrypted data conveyed in a network, that is link to link encryption, key
distribution center,... The main purpose of this paper is to study the global geometry
defined by cryptography. The natural framework for this study is the theory of
sites; these are categories endowed with a topology. We can naturally endow
a network with a topology, and interpret the global geometry of a network in
terms of torsors and higher non commutative cohomology objects defined on
this site. This point of view allows us to describe the key distribution center as
an initial object in a category, and is well adapted to public encryption. The
public and private keys are defined by a flat connection over a torsor, or a flat
connective structure over an n-gerbe. We also study statistical properties of
gerbe encryption.

Plan.

0. Introduction.

I. Topology of categories and torsors.
Topology defined by a network.
The groupoid associated to a network.
The classifying cocycle associated to a torsor.
Contraction of torsor.
The Diffie-Hellman torsor.

I.2. Connection on torsors and encryption.
Generalization of the Diffie-Hellman torsor.
Meet in the middle attack.
The Grothendieck group of the equivalence classes of torsors defined on a network.

I.3. Link to link encryption and torsors.

I.4. Key distribution center and initial object.
Implementation of link to link encryption.

II. Non Abelian cohomology and end to end encryption.

II.1. Gerbe and encryption.
A protocol to define end to end encryption and link to link encryption with a gerbe.
Meet in the middle attack of encryption defined by gerbes.

II.2. Connective structure on gerbe and public key encryption.

II.3. Non commutative cohomology and probabilistic theory of ciphers.
The entropy cocycle.
Higher non Abelian cohomology and end to end encryption.
Encryption with a tower of torsors.
Attack of an encryption with a tower of torsors.
Public key encryption and tower of torsors.

Bibliography.

I. Topology of categories and torsors. 

In this part we present the notion of Grothendieck topology that we shall 
use to define encryption protocols in a network. 

Definition 1.

A network is a finite oriented graph.

Definitions 2.

Let $E$ be a category; a sieve is a subclass $N$ of the class of objects $Ob(E)$
of $E$ such that if $f : X \to Y$ is a map of $E$ such that $Y \in N$, then $X \in N$.

Let $f : E' \to E$ be a functor, and $R$ a sieve of we denote by , the sieve
defined by = $\{X \in Ob(E') : f(X) \in N\}$.

For each object $T$ of $E$, we denote by $E_T$ the category whose objects are
arrows $u : U \to T$; a morphism of $E_T$ between $u_1 : U_1 \to T$ and $u_2 : U_2 \to T$
is a map $h : U_1 \to U_2$ such that $u_2 \circ h = u_1$.

Definition 3.

A topology on $E$ is defined as follows: to each object $T$ of $E$, we associate
a non empty set $J(T)$ of sieves of the category $E_T$ of $E$ above $T$ such that:

(i) For each map $f : T_1 \to T_2$, and for each element $N$ of $J(T_2)$, $N^f \in J(T_1)$.
(The morphism $f$ induces a functor between $E_{T_1}$ and $E_{T_2}$, abusively denoted $f$.)

(ii) The sieve $N$ of $E_T$ is an element of $J(T)$ if for every map $f : T' \to T$ of
$E$, $N^f \in J(T')$.

A category endowed with a topology is called a site.

Examples of sites are:

The category of open subsets of a topological space $E$: for each open subset
$U$, a sieve is a family of subsets $(U_i)_{i \in I}$ such that $\bigcup_{i \in I} U_i = U$.

Let $L$ be a field; we consider the category $C_L$ whose objects are finite
products of finite extensions of $L$; a morphism $L_1 \to L_2$ induces an $L$-morphism
$Spec(L_2) \to Spec(L_1)$ between the respective spectra of $L_2$ and $L_1$. We
define a topology on $C_L$ such that for every extension $L_1 \to L_2$, a sieve of $Spec(L_2)$
is a family of extensions $(L_i)_{i \in I}$ of $L_2$ such that the Galois group $Gal(\bar{L} \mid L_2)$,
where $\bar{L}$ is the algebraic closure of $L$, is the inductive limit of the Galois groups
$Gal(\bar{L} \mid L_i)$.

Notations.

Let $U_{i_1}, \dots, U_{i_p}$ be objects of a site $E$; we suppose that there exists a final
object. Let $C$ be a presheaf of categories defined on $E$. We will denote by $U_{i_1 \dots i_p}$
the fiber product of $U_{i_1}, \dots, U_{i_p}$ over the final object. If $e_{i_1}$ is an object of
$C(U_{i_1})$, $e_{i_1}^{i_2 \dots i_p}$ will be the restriction of $e_{i_1}$ to $U_{i_1 \dots i_p}$. For a map $h : e \to e'$
between two objects of $C(U_{i_1 \dots i_p})$, we denote by $h^{i_{p+1} \dots i_n}$ the restriction of $h$ to
a morphism $e^{i_{p+1} \dots i_n} \to e'^{i_{p+1} \dots i_n}$.

Definitions 4.

A sheaf of sets $L$ defined on the category $E$ endowed with the topology $J$
is a contravariant functor $L : E \to Set$, where $Set$ is the category of sets, such
that for each object $U$ of $E$, and each element $R$ of $J(U)$, the natural map:

$L(U) \to \lim(L \mid R)$

is bijective, where $(L \mid R)$ is the correspondence defined on $R$ by $(L \mid R)(f) = L(T)$
for each map $f : T \to U$ in $R$.

Let $h : F \to E$ be a functor; for each object $U$ of $E$, we denote by $F_U$ the
subcategory of $F$ defined as follows: an object $T$ of $F_U$ is an object $T$ of $F$ such
that $h(T) = U$. A map $f : T \to T'$ between a pair of objects $T$ and $T'$ of $F_U$ is
a map of $F$ such that $h(f)$ is the identity of $U$. The category $F_U$ is called the
fiber of $U$. For each pair of objects $X$ and $Y$ of $F_U$, we will denote by $Hom_U(X, Y)$
the set of morphisms of $F_U$ between $X$ and $Y$.

I.1. The topology defined on a network.

Let $N$ be a network; we define the site defined by $N$ as follows:

First we endow $N$ with the structure of an oriented graph defined as follows:
the vertices are the users; there exists an edge from $U$ to $V$ if $V$ can send a
message to $U$ without the use of a third party. To this graph we can associate
the category, abusively denoted $N$, such that $Hom_N(U, V)$ is the set of paths
between the users $U$ and $V$ of the graph.

We can define on the category $N$ the topology such that the covering family
of $U$ is the objects $V$ of $N$ such that there exists an arrow $V \to U$.

The topology defined by a network is not always a topos, since we are not
sure that the fiber products exist.

We shall often consider the graph defined by $N$ to be the lift to the universal
cover of the 1-skeleton of a CW-complex.

Definition 1.

A morphism between the networks $N$ and $N'$ is a morphism between their
oriented graphs, that is a map between $N$ and $N'$ which sends an oriented edge
of $N$ to an oriented edge of $N'$.

A network $N$ is connected if for each pair of users $U$ and $U'$ of $N$, there exists a
path between $U$ and $U'$.

Definition 2.

We can also define the following topology: consider the category $N_0$, whose
objects are networks; we can endow it with the following topology: a sieve of
an object $N$ is a family of networks $(N_i)_{i \in I}$ such that there exists an injective
map $h_i : N_i \to N$ such that $\bigcup_{i \in I} h_i(|N_i|) = |N|$, where $|N_i|$ is the set of
objects of the network $N_i$.

Definition 3.

Let $N$ and $N'$ be two networks, $U$ and $U'$ two respective objects of $N$ and
$N'$; the connected sum of $N$ and $N'$ is the network $N.N'$ obtained by identifying
$U$ and $U'$. The set of users of $N.N'$ is $(N \cup N' - \{U, U'\}) \cup \{U''\}$, where $U''$ is
a user such that for each user $U_1$ of $N$, the set of edges between $U_1$ and $U''$
is the set of edges between $U_1$ and $U$ in $N$; for every user $U_2$ of $N'$, the set of
edges between $U_2$ and $U'$ in $N'$ is the set of edges between $U_2$ and $U''$.

The connected sum depends on the elements $U$ and $U'$, as the following
example shows: let $N$ be the network with objects $U_1, U_2, U_3$ and whose set of arrows
contains only the elements $U_1 \to U_2$, $U_1 \to U_3$, and $N'$ the network whose set
of users is $V_1, V_2, V_3$, and whose set of arrows is $V_1 \to V_2$, $V_1 \to V_3$. The graph
of the connected sum of $N$ and $N'$ in $U_1$ and $U_2$ is a graph which has a vertex
with 4 adjacent edges. The graph of the connected sum of $N$ and $N'$ in $U_1$ and
$V_2$ does not have such a vertex.

Thus, to endow the set of networks with a law, we consider pointed networks.

Definition 4.

A pointed network $(N, U)$ is a network $N$ with a pointed element $U$. The
connected sum of the pointed networks $(N, U)$ and $(N', U')$ is the connected
sum of $N$ and $N'$ in $U$ and $U'$.

A morphism between two pointed networks $h : (N, U) \to (N', U')$ is a
morphism $h : N \to N'$ such that $h(U) = U'$.

We can define $[C]$, the set whose elements are isomorphism classes of pointed
networks; we denote by $[(N, U)]$ the class of the pointed network $(N, U)$. The
product of pointed networks induces a product on $[C]$ whose neutral element is
the class of the network with one user $U$ and without arrow.

Definition 5.

Let $N$ be a network, and $h : U \to U'$ an edge of $N$ (we suppose that $h$ is the
unique edge between $U$ and $U'$); the retraction or the suppression of the edge $h$
is the network $N'$ obtained as follows: the set of users of $N'$ is $N - \{U'\}$. Let $U_1$
and $U_2$ be two users of $N$; the set of paths between $U_1$ and $U_2$ is the image of
the set of paths of $N$ by the following application: let $(i_1 = U_1, \dots, i_n = U_2)$ be
a path between $U_1$ and $U_2$ of $N$; if there exists $l$ such that $i_l = U'$, we replace
$U'$ by $U$.

The groupoid associated to a network.

Let $N$ be a network; we can define the groupoid $Gr(N)$ associated to $N$
as follows: the set of objects of $Gr(N)$ is the set of objects of $N$. Let $U$,
$V$ be two users of $N$; $Hom_{Gr(N)}(U, V)$ is the set of paths between $V$ and $U$, and
the formal inverse of the path from $U$ to $V$. $Gr(N)$ is the groupoid associated
to the category induced by $N$.

Definitions 6.

Let $h : F \to E$ be a functor, $m : x \to y$ a map of $F$, and $f : T \to U$
its projection by $h$. We will say that $m$ is cartesian, or that $m$ is the inverse
image of $f$ by $h$, or $x$ is an inverse image of $y$ by $h$, if for each element $z$ of $F_T$,
the map

$Hom_T(z, x) \to Hom_f(z, y)$
$n \mapsto mn$

is bijective, where $Hom_f(z, y)$ is the set of maps $g : z \to y$ such that $h(g) = f$.

A functor $h : F \to E$ is a fibered category if and only if each map $f : T \to U$
has an inverse image, and the composition of two cartesian maps is a
cartesian map.

We will say that the category is fibered in groupoids if for each diagram

$x \to z \leftarrow y$

of $F$ above the diagram of $E$,

and for each map $m : U \to V$ such that $\psi m = \varphi$, there exists a unique map
$p : x \to y$ such that $gp = f$ and $h(p) = m$.

This implies that the inverse image is unique up to isomorphism.

Consider a map $\varphi : U \to V$ of $E$; we can define a functor $\varphi^* : F_V \to F_U$
such that for each object $y$ of $F_V$, $\varphi^*(y)$ is defined as follows: we consider a
cartesian map $f : x \to y$ above $\varphi$ and set $\varphi^*(y) = x$. Remark that although the
definition of $\varphi^*(y)$ depends on the chosen inverse image $f$, the functors $(\varphi\psi)^*$
and are isomorphic.

Definitions 7.

A section of a fibered category $h : F \to E$ is a correspondence defined on
the class of arrows of $E$ as follows: to each map $f : U \to T$, we define a cartesian
map: : $X_U \to V_T$ of $F$, whose image by $h$ is $f$, such that: ^ = o .

Definition 8.

Let $C$ be a site; a torsor $h : P \to C$ is a fibered category such that there
exists a section $u$.

We suppose that there exists a sheaf $H$ defined on $C$ such that $Hom_U(n_U, n_U) = H(U)$,
where $Hom_U(n_U, n_U)$ is the set of morphisms $p : n_U \to n_U$ such that
$h(p) = Id_U$, and $n_U \in P_U$.

Every arrow of $P$ is invertible.

For every object $e_U$, of $P_U$, there exists a map $h : e_U \to e'_U$.

The classifying cocycle associated to a torsor.

Let $(U_i)_{i \in I}$ be a covering family of the topology of the site $C$, and $P \to C$ a
torsor defined on $C$; for each object $U$, we consider the object $e_U$ of $P_U$ defined
by u^"^ where $u$ is the section.

Let $U$ be an element of $C$; suppose that there exists a map $d_i : U_i \to U$,
we can define the Cartesian map : ej → ejj over $d_i$; there exists a map
$u_i$ : Ci → ejj. since the fibered category is connected. Suppose that $U_i \times_U U_j$
exists, then we can define the map $u_{ij}$ : e\j. → e\j. by $u_i \circ u_j^{-1}$; this makes sense
since the fact that $u$ is a section implies that e\j. is e-y,.

The family of maps $u_{ij}$ verifies $u_{ij} u_{jl} = u_{il}$.

Proposition 1.

Suppose that $C$ is a site; the set of torsors bounded by the sheaf $H$ is in 1 to 1
correspondence with $H^1(C, H)$.

Definition 9.

A torsor $P \to C$ is trivial if and only if for every object $U$, and every
map $d_i : U_i \to U$, the Cartesian map above $d_i$ is a map $u_i : e_i \to e_U$, where
$e_i$ = U^'^"i .

Let $(U_i)_{i \in I}$ be a covering family of the site $C$; a torsor on $C$ is trivial if
and only if for each object $U_i$ there exists an element $d_i \in Aut(P_{U_i})$ such that
$u_{i_1 i_2} = u_{i_2} u_{i_1}^{-1}$. Indeed, since for $d_i : U \to U_i$ e\j is $e_i$, $u_i$ is an automorphism
of $e_i$, thus an element of $H(U_i)$.

Examples of torsors.

Let $N$ be a differentiable manifold; a principal bundle whose structural group
is $H$ is an example of torsor defined on the topos defined by the topology of $N$.

Let $N$ be a network; we have seen that in modern encryption plaintexts are
encrypted by blocks to create diffusion and confusion. Without restricting the
generality, we shall call $N$ the category defined by the network.

We define $P \to N$, a category fibered over $N$ such that for each user $U$, the
fiber $P_U$ is a category whose objects are sets of plaintexts, for example the
n-dimensional $\mathbb{Z}/2\mathbb{Z}$-vector space. A map between two objects $I_U$ and $I'_U$ of $P_U$
is a bijection defined by an encryption/decryption map, that is a bijective map
$h : I_U \to I'_U$ such that for each element $C \in I_U$, $h(C) = E(L, C)$. An example
of object can be the domain of the D.E.S map, which is the 64-dimensional
vector space.

Let $V$ be another user of the network; suppose that $V$ can send a message
to $U$, which is equivalent to saying that there is a map $h_{UV} : U \to V$
in $N$. A Cartesian map above $h_{UV}$ is a map defined by an encryption/decryption
map as above, $h'_{UV} : I_V \to I_U$.

This fiber category is a torsor if for every user $U$ of $N$ there exists an object
$I_U$ in the fiber of $U$ and an encryption/decryption map $h'_{UV} : I_V \to I_U$ above each
map $h_{UV} : V \to U$, such that $(h_{U_1U_2} \circ h_{U_2U_3})' = h'_{U_1U_2} \circ h'_{U_2U_3}$.

Definition 10.

Let $(N, U)$ and $(N', U')$ be two pointed networks; suppose that there exist
torsors $P \to N$ and $P' \to N'$ such that $P_U$ and $P'_{U'}$ are isomorphic categories;
then we can define the torsor $P.P'$ over the connected sum $N.N'$ of $N$ and $N'$
as follows: if $U_1$ is an object of $N - \{U\}$, then $P.P'_{U_1}$ is $P_{U_1}$; if $U_2$ is an object
of $N'$, then $P.P'_{U_2}$ is $P'_{U_2}$. The fiber of the point $V$ which is obtained by
identifying $U$ with $U'$ is $P_U$.

Let $h_1 : U_1 \to V_1$ be an arrow of $N$; we lift $h_1$ to $P.P'$ to one of its lifts
defined by $P \to N$. Let $h_2 : U_2 \to V_2$ be an arrow of $N'$; we lift $h_2$ to $P.P'$ to
one of its lifts defined by $P' \to N'$.

Contraction of torsor.

Let $N$ be a network, and $N_h$ the contraction of the arrow $h : U \to U'$ of $N$;
consider the torsor $P \to N$; we can define a torsor $P_h \to N_h$ as follows: consider
an edge $h_1 : U_1 \to U_2$ such that $h_1$ is the projection of an edge $h_2 : V_1 \to V_2$ of
$N$ by the canonical map $N \to N_h$. Suppose that $V_1$ and $V_2$ are different from $U'$;
then the Cartesian map associated to $h_1$ is the Cartesian map of $h_2$. Suppose
that $V_1 = U'$; then $h_2$ projects to the arrow $h_1 : U \to U_2$, and the Cartesian map
above $h_1$ is the Cartesian map above $h_2 \circ h : U \to V_2$. Suppose that $V_2 = U'$; then
the Cartesian map above $h_1$ is $h'^{-1} \circ h'_2$, where $h'_2$ is the Cartesian map above
$h_2$, and $h'$ is the Cartesian map above $h$, which is assumed to be invertible.

The Diffie-Hellman torsor.

The following torsor can be used in public encryption:

Let $C$ be a finite topos, that is such that the class of objects of $C$ is a finite
set. We suppose that there exists a torsor $P \to C$ such that for each object
$U$, the group of automorphisms of $P_U$ is the multiplicative group $\mathbb{Z}/n\mathbb{Z} - \{0\}$,
where $n$ is a prime number; consider a generator $a$ of the multiplicative group
$\mathbb{Z}/n\mathbb{Z} - \{0\}$; we suppose that for every pair of objects $U$, $V$ of $C$ there exist $n_U$ and
$n_V$ in $\mathbb{Z}$ such that the transition function defined on $U \times_C V$ is $h_{n_U} \circ h_{n_V}^{-1}$,
where $h_{n_U}$ is the function defined on $\mathbb{Z}/n\mathbb{Z} - \{0\}$ by $c \mapsto a^{n_U} c$, and the final
object of $C$ is abusively denoted $C$. This torsor is trivial.

The public key of the user $U$ is $a^{n_U}$, its private key is $n_U$. Suppose that
$U$ wants to send a message to $V$; he takes the public key $a^{n_V}$ and calculates

To decrypt the message, $V$ takes the public key $a^{n_U}$ of $U$ and calculates
$a^{n_U n_V} = (a^{n_V})^{n_U}$. This is the Diffie-Hellman algorithm. The security is due
to the fact that it is infeasible to calculate discrete logarithms in reasonable time.

I.2. Connection on torsors and encryption.

In this part we present the theory of torsors defined on a site, and show
how it can be used to define public encryption. It is a generalization of the
Diffie-Hellman torsor.

Let $N$ be a manifold, $P \to N$ a principal bundle whose structural group is
$H$, defined by the trivialization $(U_i, u_{ij})_{i,j \in I}$; a connection on $H$ is defined by a
family of 1-forms $a_i : U_i \to \mathcal{H}$, where $\mathcal{H}$ is the Lie algebra of $H$, which satisfy
the relation:

$a_j - a_i = u_{ij}^{-1} du_{ij}$

The curvature of the connection $a$ is the 2-form defined locally by $da_i + a_i \wedge a_i$.
The bundle is flat if the curvature vanishes. Suppose that the group
$H$ is commutative; then if the curvature vanishes, $d(a_i) = 0$, and we deduce
the existence of a 1-chain $u_i : U_i \to H$ such that $d(u_i) = a_i$. The cocycle
$h_{ij} = u_{ij} u_j^{-1} u_i$ is called the holonomy cocycle of the connection. We remark
that in this situation the connection is completely characterized by the 0-chain
$(u_i)_{i \in I}$. This motivates the following definition:

Definition 1.

A flat connection on $P$ is a 0-chain $u_i : U_i \to H$. We do not suppose
that our group is commutative.

This definition characterizes only flat bundles defined over a manifold when
the group $H$ is commutative.

Holonomy map.

Let $U_i$ and $U_j$ be objects of $C$, and $(i_1 = i, \dots, i_n = j)$ a path between
$U_i$ and $U_j$; we can define the holonomy map $Hol(a) : P_{U_i} \to P_{U_j}$, which
is the composition of the following maps: $Hol_{i_l} : P_{U_{i_l}} \to P_{U_{i_{l+1}}}$ defined by
Uj.^^^^jUi, Thus $Hol(a) = Hol_{i_{n-1}} \circ \dots \circ Hol_{i_1}$.

The holonomy map will be used to define examples of the encryption map
between $P_{U_i}$ and $P_{U_j}$.

The holonomy cocycle of the connection is $u_{ij} u_i u_j^{-1}$.

If $P \to N$ is a principal bundle defined over the manifold $N$, this is similar
to the usual definition of connection.

The holonomy map characterizes completely a torsor over a connected site
$N$, which can be defined as a representation $Hol : \pi_1(Gr(N)) \to P_{U_0}$, where
$\pi_1(Gr(N))$ is the fundamental group of the groupoid $Gr(N)$, and $P_{U_0}$ the fiber
at $U_0$.

Generalization of the Diffie-Hellman torsor.

We consider here networks endowed with the natural topology that we have
defined.

Let $P \to C$ be a torsor defined by the generating family $(U_i)_{i \in I}$ and the
transition functions $u_{ij}$ of the topology of $C$; we denote by $H$ the structural
group of $P$. We suppose that there exists a commutative group $\mathcal{H}$, and a map
$exp : \mathcal{H} \to H$, which will play the role of the exponential map of the group $H$.
We shall suppose that the exponential map is surjective.

Definition 2.

A public encryption defined on the torsor $P \to C$ is defined by the following
data:

A connection $(u_i)_{i \in I}$ defined on the torsor $C$; we denote by $a_i$ an element
of $\mathcal{H}$ such that $exp(a_i) = u_i$.

A function $L : \mathcal{H} \times H \to F$, where $F$ is a commutative group, such that
$L(a_i, exp(a_j)) = L(a_j, exp(a_i))$.

The public key of the user $U_i$ is $exp(a_i)$, and its private key is $a_i$.

The key that the users $U_i$ and $U_j$ use to exchange data is $L(a_i, exp(a_j))$.

The security of this problem is related to the fact that it is not feasible to
compute the logarithm of $H$.

A particular example of the previous public encryption protocol is the
situation when the value of the function $L$ is defined by the coordinate changes. This
can be realized as follows: if the torsor is trivial, in this situation there exists
a 0-chain $u_i : U_i \to H$ such that ^. We denote $a_i = Log(u_i)$,

$L(a_i, exp(a_j) = u_j) = u_i u_j^{-1}$.

The secret key of the user $U_i$ is $a_i$, and its public key is $u_i$.

Meet in the Middle attack.

Suppose that an intruder $U_l$ registers to the network; he can perform the
following Meet-in-the-Middle attack: he calculates $L(a_l, u_i) = u_{li}$ and $L(a_l, u_j) = u_{lj}$.
Since the inversion is assumed to be a feasible operation, $U_l$ can calculate
$u_{li}^{-1} u_{lj} = u_{il} u_{lj} = u_{ij}$, which is the key shared by the users $U_i$ and $U_j$.

We shall prove that higher non commutative cohomology can enable us to
counter this attack.
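
The public encryption of Definition 2 and the Meet in the Middle attack above, as an added example that is not part of the original paper. It assumes the toy group H = (Z/pZ)* with p = 2^127 - 1 and exp(a) = 3^a mod p; the private keys and all function names are constructed for illustration.

```python
# Added illustration: two choices of the function L from Definition 2,
# and what a registered third user U_l can derive from each of them.
P = 2**127 - 1   # prime modulus (assumption: H is the group (Z/pZ)*)
G = 3            # assumed base of the exponential map


def exp(a: int) -> int:
    """exp(a) = G^a mod P: maps the private key a to the public key."""
    return pow(G, a, P)


def inv(u: int) -> int:
    """Inverse in (Z/pZ)*; the text assumes inversion is feasible."""
    return pow(u, -1, P)


def dh_key(a_i: int, u_j: int) -> int:
    """Diffie-Hellman choice: L(a_i, exp(a_j)) = exp(a_j)^(a_i)."""
    return pow(u_j, a_i, P)


def cocycle_key(a_i: int, u_j: int) -> int:
    """Coordinate-change choice: L(a_i, u_j) = u_i * u_j^(-1) = u_ij."""
    return exp(a_i) * inv(u_j) % P


def intruder_key(L, a_l: int, u_i: int, u_j: int) -> int:
    """U_l computes L(a_l, u_i)^(-1) * L(a_l, u_j) from his own private
    key a_l and the two public keys u_i, u_j."""
    return inv(L(a_l, u_i)) * L(a_l, u_j) % P


# Constructed private keys of U_i, U_j and of the intruder U_l.
A_I, A_J, A_L = 123, 456, 789
U_I, U_J = exp(A_I), exp(A_J)


def attack_succeeds(L) -> bool:
    """True if the intruder's value equals the key shared by U_i and U_j."""
    return intruder_key(L, A_L, U_I, U_J) == L(A_I, U_J)


if __name__ == "__main__":
    print("DH key is symmetric:       ", dh_key(A_I, U_J) == dh_key(A_J, U_I))
    print("attack on coordinate key:  ", attack_succeeds(cocycle_key))
    print("same computation on DH key:", attack_succeeds(dh_key))
```

With the coordinate-change key the intruder's product collapses to u_i u_j^{-1} by the cocycle relation; with the Diffie-Hellman key the same computation yields a different group element.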

The Grothendieck group of the equivalence class of torsors over a
network.

Let $N$ be a network; consider two torsors $P, P' \to N$ whose fibers are vector
spaces defined over a field. We can make the tensor product $P \otimes P'$ of these
networks, which is itself a torsor over $N$. If $P$ and $P'$ are respectively defined
by the transition functions $u_{ij}$ and $u'_{ij}$, then $P \otimes P'$ is defined by $u_{ij} \otimes u'_{ij}$.

We can define the dual of $P$ to be the torsor over $N$ defined by the transition
functions $(u_{ij}^*)^{-1}$, where $u_{ij}^*$ is the dual map of $u_{ij}$.

We can define the Grothendieck group of this category, which is the group
whose elements are equivalence classes of the previous torsors.

Examples of Grothendieck groups can be defined by cryptography: consider
a class $D$ of cipher maps defined on the category of $L$-vector spaces ($L$
can be thought to be $\mathbb{Z}/2\mathbb{Z}$) stable by addition and tensor product, that is if
$u : V \to V$ and $u' : V' \to V'$ are in this class, we suppose also that is
isomorphic to an element of $D$, $u + u'$ and $u \otimes u'$ are also isomorphic to elements
of $D$. We can consider the category whose objects are torsors $P \to N$ such that
the transition functions are elements of $D$. We can define the Grothendieck
group of this category.

Many ciphers in cryptography have the following structure: they are a
succession of $p$ rounds, and each round is defined as follows: the plaintext is a vector
of an even dimensional vector space over $\mathbb{Z}/2\mathbb{Z}$; it is divided in two halves, the
left half $LE_0$ and the right half $RE_0$; we have:

$LE_{i+1} = RE_i, \quad RE_{i+1} = LE_i + H(RE_i, LE_i, L_i)$

where $L_i$ is a round key. After the $p$-th round, both halves are swapped.
The decryption map is the encryption map with the keys used in the inverse
order.

This class of ciphers is stable by addition, inverse, and tensor product. We
can define its Grothendieck group.
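
The round structure above, as an added example that is not part of the original paper: it shows that running the same rounds with the keys in the inverse order decrypts. It assumes a round function that depends only on the right half and the round key (here SHA-256 truncated to the half-block length, a choice made for this illustration); the names and the sample block are constructed.

```python
import hashlib


def round_function(right: bytes, round_key: bytes) -> bytes:
    """Assumed round function H(RE_i, L_i); it does not need to be invertible."""
    return hashlib.sha256(round_key + right).digest()[:len(right)]


def xor(a: bytes, b: bytes) -> bytes:
    """Addition in the vector space over Z/2Z, byte by byte."""
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, round_keys) -> bytes:
    """Apply LE_{i+1} = RE_i, RE_{i+1} = LE_i + H(RE_i, L_i) for each round
    key, then swap the two halves."""
    if len(block) % 2 or len(block) > 64:
        raise ValueError("block must have even length of at most 64 bytes")
    half = len(block) // 2
    le, re = block[:half], block[half:]
    for key in round_keys:
        le, re = re, xor(le, round_function(re, key))
    return re + le  # final swap of both halves


def encrypt(block: bytes, round_keys) -> bytes:
    return feistel(block, round_keys)


def decrypt(block: bytes, round_keys) -> bytes:
    """Decryption is the encryption map with the keys in the inverse order."""
    return feistel(block, list(reversed(round_keys)))


if __name__ == "__main__":
    keys = [b"k1", b"k2", b"k3", b"k4"]   # constructed round keys
    plaintext = b"constructed data"       # constructed 16-byte block
    ciphertext = encrypt(plaintext, keys)
    print(ciphertext.hex())
    print(decrypt(ciphertext, keys))
```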

If we suppose that the transition functions are linear maps, the category of
torsors defined over a network $N$ is a Tannakian category; it is thus equivalent
to the category of representations of an affine group scheme. These networks are
not useful in practice, since they are vulnerable to a chosen ciphertext attack:
if an attacker can obtain ciphertexts from given plaintexts, to retrieve the key
he has only to choose a set of plaintexts which is a basis of the vector space $V$.
These ciphers are called Hill ciphers and are used in the Mix columns operations
of modern ciphers.
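
Why a linear transition function gives no protection, as an added example that is not part of the original paper: the key of a linear cipher over Z/2Z is read off from the ciphertexts of the basis vectors, as described above. It assumes a 16-bit block and a randomly generated invertible key matrix; all names are constructed for this illustration.

```python
import random


def gf2_apply(rows, v: int) -> int:
    """Multiply the Z/2Z matrix `rows` (row i stored as an int bitmask)
    by the bit-vector v; bit i of the result is the parity of rows[i] & v."""
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & v).count("1") & 1) << i
    return out


def gf2_invert(rows):
    """Gauss-Jordan inversion over Z/2Z; returns None for a singular matrix."""
    n = len(rows)
    a = list(rows)
    inverse = [1 << i for i in range(n)]      # identity matrix
    for col in range(n):
        pivot = next((r for r in range(col, n) if (a[r] >> col) & 1), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        inverse[col], inverse[pivot] = inverse[pivot], inverse[col]
        for r in range(n):
            if r != col and (a[r] >> col) & 1:
                a[r] ^= a[col]
                inverse[r] ^= inverse[col]
    return inverse


def random_key(n: int, rng: random.Random):
    """Draw random n x n matrices until one is invertible (a valid key)."""
    while True:
        rows = [rng.getrandbits(n) for _ in range(n)]
        if gf2_invert(rows) is not None:
            return rows


def recover_key(encrypt, n: int):
    """Rebuild the key matrix from the ciphertexts of the basis vectors
    e_0, ..., e_{n-1}: the ciphertext of e_j is column j of the key."""
    rows = [0] * n
    for j in range(n):
        column = encrypt(1 << j)
        for i in range(n):
            rows[i] |= ((column >> i) & 1) << j
    return rows


if __name__ == "__main__":
    n = 16
    secret = random_key(n, random.Random(7))       # constructed key
    oracle = lambda block: gf2_apply(secret, block)
    recovered = recover_key(oracle, n)
    print("key recovered from", n, "queries:", recovered == secret)
    print(hex(gf2_apply(gf2_invert(recovered), oracle(0xBEEF))))
```

The number of queries equals the dimension of the block space, which is why the rounds of the ciphers mentioned earlier combine the linear map with a non-linear substitution.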

I.3 Link to link encryption and torsors.

Let $C$ be a network; a user $U_i$ who sends a message through the network
to $U_j$ often does not encrypt the whole message: the header, that is the part of
the message where the identity of the sender and the identity of the
receiver are recorded, is either in clear, or encrypted and decrypted at every node of the path
between $U_i$ and $U_j$. That is, if $U_i$ wants to send the message $N$ to $U_j$ using the
path $(i_1 = i, \dots, i_n = j)$, an append $N_1$ called the header of the message is added
to the message. It cannot be encrypted with the algorithm used to encrypt $N$,
since in modern networks like the internet the route of the message is not controlled
by the sender, but to be sent from i; to the header is encrypted, by an
encryption function , we can suppose that this encryption is a symmetric
encryption, thus the encryption function used by Ui^^-^ to send messages to Ui
is = if we denote by $u_{il}$ the encryption of the header from
$U_i$ to $U_l$, we have $u_{il} = u_{ij} u_{jl}$ if $U_j$ is an intermediate stage. If we suppose
that the headers are elements of a set $E$, and the transition functions
automorphisms of $E$, these data define a torsor $P \to C$ over the site $C$ such
that for each object $U_i$, $P_{U_i}$ is a set isomorphic to $E$.

The definition of a torsor over a site used to encrypt the header of a message
can be very useful. Practically, the manager of a network has to define or find a
simple procedure to define the keys at every node for the link to link encryption.
Often in mathematics a torsor is defined in a global way, without defining each
coordinate change, for example the tangent space of a manifold or of an
algebraic variety. This can save a lot of time in the implementation of
a network.

We propose the following scheme to define a link to link encryption:
We consider a smooth affine algebraic variety N defined over a finite field, and
a trivialization (U_i)_{i∈I} of one of its canonical bundles, like its tangent
bundle. We can define a network whose users are the U_i; the transition functions
of the bundle considered are the keys used for link to link encryption.

Under reasonable conditions on the structure of the encryption algorithm of 
the header, the previous remark is always true: 

Proposition 1. 

Suppose that the header is written in an alphabet which can be identified with
a scheme, and the transition functions are morphisms of schemes, the objects U_i
are schemes and the transition functions define an effective descent datum, then
there exists a torsor P → C of schemes, such that the typical fiber is the alphabet
endowed with its scheme structure.

Suppose that the transition functions do not define morphisms of a scheme;
the network topos defines the 1-skeleton of a CW-complex N (the CW-complex
is not necessarily unique), and the transition functions define a flat bundle
on N.

1.4 Key distribution Center and initial object. 

One of the big challenges in symmetric encryption is to establish protocols for the
distribution of keys in a network. When the participants are not very far from each
other, this can be accomplished by physical distribution. When the number of
members of the network is very big, physical distribution is quite impossible; a
solution of this problem is to ask a third party to distribute keys to participants.
Such a third party is called a key distribution center. The key distribution center
shares with each user a master key that it uses to send session keys.

Let D be the key distribution center of the network C. We assume that C is a
site, and the members of the network are objects of C. The key distribution center
must have a connection with every participant; since a connection between D
and the object U can be represented by a map in Hom_C(U, D), we shall assume
that D is the initial object in the category C. Suppose that D distributes keys
in a link to link network. We have seen that we can represent such a network by
a torsor P → C; for every object U_i of C, there exists a map u_{iD} : P_{U_i} → P_D,
and this map is the master key used by U_i.

Suppose that U_i wants to establish a connection with U_j. There exist many
protocols in the literature that it can use, for example:

U_i sends to D a message encrypted with u_{iD} which contains an identifier
ID_{U_i} of U_i and an identifier ID_{U_j} of U_j.

The key distribution center replies to U_i by sending the session key u_{ji}
encrypted with u_{iD}.

The key distribution center sends to U_j a message encrypted with u_{jD} which
contains the key u_{ij} and an identifier of U_i.
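The three messages above can be traced in code. This is an added example, not the paper's own implementation: the master keys are random byte strings, the encryption is a stand-in encrypt-then-MAC construction built from HMAC-SHA256 (an assumption, used only so the sketch runs with the standard library), and the sender name sent in clear next to message 1 is also an assumption so that D knows which master key to use.

```python
"""The three-message key distribution exchange with a stand-in authenticated cipher."""
import hashlib
import hmac
import json
import secrets


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, payload):
    """Encrypt-then-MAC a JSON payload (stand-in for a vetted AEAD)."""
    nonce = secrets.token_bytes(16)
    plain = json.dumps(payload, sort_keys=True).encode()
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plain))
    body = bytes(a ^ b for a, b in zip(plain, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError on any mismatch."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))


class KeyDistributionCenter:
    def __init__(self):
        self._master = {}  # user id -> master key shared with D

    def enroll(self, user_id):
        self._master[user_id] = secrets.token_bytes(32)
        return self._master[user_id]

    def handle_request(self, claimed_sender, sealed_request):
        """Process message 1 and return messages 2 and 3."""
        if claimed_sender not in self._master:
            raise ValueError("unknown sender")
        request = unseal(self._master[claimed_sender], sealed_request)
        peer = request["to"]
        if request["from"] != claimed_sender or peer not in self._master:
            raise ValueError("identifier mismatch")
        session_key = secrets.token_hex(32)
        reply = seal(self._master[claimed_sender], {"session_key": session_key})
        notice = seal(self._master[peer],
                      {"session_key": session_key, "from": claimed_sender})
        return reply, notice


def rejects(func, *args):
    """True when the call is refused with ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


def run_exchange():
    kdc = KeyDistributionCenter()
    key_i, key_j = kdc.enroll("U_i"), kdc.enroll("U_j")
    request = seal(key_i, {"from": "U_i", "to": "U_j"})   # message 1
    reply, notice = kdc.handle_request("U_i", request)    # messages 2 and 3
    return kdc, request, unseal(key_i, reply), unseal(key_j, notice)


if __name__ == "__main__":
    _, _, at_i, at_j = run_exchange()
    print(at_i["session_key"] == at_j["session_key"], at_j["from"])
```

The three messages as listed carry no nonce or timestamp, so this sketch authenticates each message but does not detect a replayed one.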

The link to link encryption is defined by a torsor over a site. We have seen
that under reasonable conditions, we can suppose that this torsor can be defined
as a flat bundle over a scheme, or a differentiable manifold. A flat bundle over a
manifold N is determined by a representation of the fundamental group of N
which defines the holonomy. Thus it is completely determined by the 2-skeleton
of the manifold; in practice we shall consider differentiable surfaces, or algebraic
surfaces, in link to link encryption.

The knowledge of the genus of the surface used to define keys in a link to 
link network can be a very useful information for an attacker because the space 
of flat bundles over a surface of a given genus is an object which is well-known 
in mathematics. 

Suppose that an attacker L wants to make an attack on the link to link
encryption network. His purpose is thus to determine the keys used to encrypt the headers
of the messages sent in the network. This can be very useful information, since
it will enable L to know the identity of the people who send messages in the
network. A possibility for L is to perform a brute force attack: we assume that
the messages are written in binary and their length is n, and that L has a set of
chosen plaintexts/ciphertexts for each couple of users (U_i, U_j). We assume also
that there do not exist spurious keys; thus to determine the key used by U_i
and U_j, L must try 2^n keys if the headers are written with n bits, and if there exist
N participants, he has to make C_N^2 2^n operations. But if L knows the topology
of the network, that is the genus of the surface used, he can determine the
cardinal of a set of generators of the fundamental group of the surface involved. This
number can be small, whereas the number of the participants of the network
is huge. The holonomy is parameterized by the image of the generators of the
fundamental group, thus the topological information about the surface can be
crucial information when N >>> 0 and the genus is small, since in this
situation a brute force attack is impossible.

1.5. Implementation of the link to link encryption. 

One of the main challenges in computer science is to define less expensive
algorithms, that is algorithms which can be computed in reasonable time
with a computer. It has been shown that every algorithm can be computed
with the Turing machine, but to be efficient the implementation must be run
with an existing computer.

To define link to link encryption defined on a site C, we need a priori to 
define each couple of keys Uij for any users Ui and Uj of C. We shall show how 
the holonomy representation can reduce the algorithm. 

We shall assume that the torsor P → C which defines the link to link
encryption is a bundle over a surface N_2. We endow the surface with a CW-structure,
and perform a cutting along the 1-skeleton. We assume that the
genus of the surface is different from zero. The surface is then the quotient of
a hyperbolic or Euclidean polygon. The vertices of the polygon represent the
0-skeleton of the CW-decomposition. Each edge u_i u_j projects to N_2 to define
an element of π_1(N_2).

There can exist in the network elements different from the vertices; these
elements can be considered to be elements u_{2n+1}, ..., u_{2n+p} in the interior of
the polygon. Thus the users of the network are the vertices u_1, ..., u_{2n} and
u_{2n+1}, ..., u_{2n+p}.

We suppose that the messages conveyed in the network are written in binary,
and are encoded in blocks of length l. As before, we shall assume that the
fiber is an algebraic variety, and the transition functions are elements of the
automorphism group H of this variety.

The bundle P → N_2 is defined by a representation h : π_1(N_2) → H.

We can define the algorithm:

Write "Enter the vertices"
For i = 1 to i = 2n
    Write "enter u_i", read u_i
Write "Enter the interior points"
For i = p + 1 to i = 2n + p
    Write "enter u_i", read u_i
Write "Enter the holonomy"
For i = 1 to i = n - 1 do
    Write "enter u_{i,i+1}", read u_{i,i+1}
Write "enter u_{n1}", read u_{n1}
u_{ii} = Id
For i = 1 to i = n do
    For j = i + 1 to j = n do
For i = 1 to i = 2n + p do
    For j = 2n + 1 to j = 2n + p do
        u_{ij} = Id

This program enters the keys needed to define a link to link encryption defined
by a torsor P → C isomorphic to a bundle over a surface of genus n.

II. Non abelian cohomology and End to End encryption. 

We have seen that the notion of torsor is not a good notion to provide secrecy
in End to End encryption. We shall provide a method of encryption using non
Abelian cohomology.

II. 1. Gerbes and encryption. 

The notion of gerbe has been defined by Giraud to study gluing problems
in geometry. Let h : P → N be a principal bundle defined over the manifold N,
whose structural group is H. Suppose that there exists an extension 1 → H_1 →
H_2 → H → 1; a fundamental question in geometry is to define a principal bundle
h' : P' → N whose structural group is H_2, such that there exists a map l : P' → P
such that h ∘ l = h'. This problem has been one of the motivations to formulate
gerbe theory.

Proposition-Definition 1. 

Suppose that E is a site whose topology is generated by a covering family
(U_i → U)_{i∈I}, and h : F → E a fibered category in groupoids. For each map
f : U → V of E, we consider the functor r_{U,V}(f) : F_V → F_U defined as follows:
for each object y of F_V, r_{U,V}(f)(y) is an object x of F_U such that there exists a
cartesian map n : x → y such that h(n) = f. Consider the maps v_1 : U_1 → U_2
and v_2 : U_2 → U_3 of E; the functors r_{U_1,U_2}(v_1) ∘ r_{U_2,U_3}(v_2) and r_{U_1,U_3}(v_2 v_1) are
isomorphic. The functor h : F → E is a sheaf of categories if and only if the
correspondence U → F_U = F(U) satisfies the following properties:

(i) Gluing condition for arrows.

Let U be an object of E, and x, y objects of F(U). The functor from E_U,
endowed with the restriction of the topology J, to the category of sets which
associates to an object f : V → U the set Hom_V(r_{V,U}(f)(x), r_{V,U}(f)(y)) is a
sheaf of sets.

(ii) Gluing condition for objects.

Consider a covering family (U_i → U)_{i∈I} of an object U of E, and for each
Ui, an object Xi of F{Ui). Let tij : — > x^, a map between the respective 
restrictions of x_j and x_i to U_i ×_U U_j (we suppose that the fiber product over U
exists), such that on U_{i_1} ×_U U_{i_2} ×_U U_{i_3}, the restrictions of the arrows t_{i_1 i_3} and
t_{i_1 i_2} t_{i_2 i_3} are equal. There exists an object x of F(U) whose restriction to F(U_i)
If moreover the following properties are verified:

(iii) There exists a covering family (U_i → U)_{i∈I} of E such that F(U_i) is not
empty,

(iv) For each pair of objects x and y of F(U_i), Hom_{U_i}(x, y) is not empty
(local connectivity),

(v) The elements of Hom_{U_i}(x, y) are invertible. The fibered category is called
a gerbe.

(vi) We say that the gerbe is bounded by the sheaf L_F defined on E, or
that L_F is the band of the gerbe, if and only if there exists a sheaf of groups
L_F defined on E such that for each object x of F(U) we have an isomorphism:

L_F(U) → Hom_U(x, x)

which commutes with restrictions, and with morphisms between objects.

The classifying cocycle of a gerbe. 

We suppose that the site C is defined by a covering family (U_i)_{i∈I}, such that
is not empty.

We consider an object Ui of Pu^ , let be the restriction of Ui to Ui Xu Uj , 

(where U is an object such that the fiber products over U exist) the local 
connectivity implies the existence of a map there exists a map Uij : u\ — > u^- , 

On Ui Xu Uj Xu Ui = Uiji, we have the objects uf ,u^j ,u\^ , we can define 
the map Uiji = uuUijUji : uY — > , this map can be identified with an element 
oiL{Uiji) 

Theorem 1. 

The family of maps Uiji defines a non commutative 2-Cech cocycle. The set
of equivalence classes of gerbes bounded by H is one to one with H^2(C, L).

To apply this construction to the problem mentioned at the beginning of
this paragraph, we define the following sheaf of categories: for each open subset
U of N, we define the category C(U) such that the objects of C(U) are bundles
whose structural group is H_2, and such that the quotient by H_1 is the restriction
of P to U. The sheaf of categories U → C(U) is a gerbe defined on C bounded
by the sheaf of H_1 valued functions defined on N.

II. 1.2. A protocol to define end to end encryption and link to link
encryption with gerbe.

Consider a network N, endowed with the topology that we have defined
above. Let C → N be a fibered category such that for each object U of N,
C_U is a category whose objects are isomorphic to a set of plaintexts/ciphertexts;
for example objects of C_U can be isomorphic to a Z/2Z-vector space. A map
between two objects of C_U is an encryption/decryption map. We suppose that
there exists a sheaf on N, such that for each object e_U of C(U), Aut(e_U) =
H_2(U), and this sheaf is the band of the gerbe defined by C. In practice, this
gerbe can be defined as follows: we suppose that there exists an exact sequence
of sheaves

defined on N. There exists an H-torsor P → N, such that the fiber P_U is a
set of plaintexts/ciphertexts used to write the headers of messages conveyed in the
network. Consider the gerbe C which represents the geometric obstruction to
lifting the structural group of P to H_2; for each object U of C, the objects of C_U
are plaintexts: these are the messages conveyed in the network. The projection
of these objects to P_U is their respective headers.

We can modify the previous example as follows: we suppose that the header
of the message is written with an alphabet which has the group structure H,
and the main part of the message is written with an alphabet which has the
group structure H_1. In this situation the transition functions are keys of
encryption/decryption of monoalphabetic ciphers, since they are applied to each
letter. To create confusion and diffusion, we can assume that the
plaintexts are encrypted by blocks, and the transition functions define
polyalphabetic ciphers which are more resistant to the statistical study of the common
properties of a set of plaintexts/ciphertexts.

This kind of protocol can be applied to email distribution on the internet:
since the route of the message is not defined by the sender, the header
cannot be encrypted using the key used to encrypt the main
message. The header is written with H and the main part of the message with
H_1.

Meet in the Middle attack of encryption defined by gerbes. 

The following attack can be performed on the previous encryption protocol: 
Suppose that there exist three intruders in the network, Ui, Uj, and Ul;
suppose that they want to obtain the secret key used by the users Uc and 
Ud, they know the keys Uic, Uid, Ujc, Ujd, uu, Uji, Ud, Udi thus they know the 
quantities Uijc = UciUijUjc, Uijd, uuc, and uud, using the fact that the classifying 
cocycle of the gerbe is trivial (we assume the band to be commutative), we 
obtain: 

and 






Ujcd - Ulcd + Uljd - Uljc = 

This implies that 

Ulcd - Uljd + Uljc - Uicd + Uijd - Uijc = 

Thus the intruders can deduce the value of uicd — Uicd since they know the 
values oiuijd, uijc, Uijd, m^c we know that uicd = UdiuicUcd, and Uicd = UdiUicUcd 
since the intruder know Udi, uic, Udi and Uic, they can deduce the key Ucd if Udiuic 
is different of UdiUic~^. 

This type of attack cannot be performed with two intruders: if we consider the
cocycle relation u_{jcd} - u_{icd} + u_{ijd} - u_{ijc} = 0, the subtraction of the expressions
u_{jcd} = u_{dj} u_{jc} u_{cd} and -u_{icd} = -u_{di} u_{ic} u_{cd} implies the cancellation of u_{cd}; thus
u_{cd} cannot be written as a function of the other keys.

Remark that a network with 3 users whose plaintexts/ciphertexts are elements
of a given set, and whose encryption/decryption maps are automorphisms of this
set, is always a gerbe since the cocycle relation is always verified.

We shall define a notion of higher non Abelian cohomology which can enable
us to counter the previous attack. What can be expected is that there exists
a notion of n-gerbe such that every network of n users which share information
written in the same alphabet is an n-gerbe. Unfortunately, the question of the
existence of a theory of n-gerbes is a deep question in mathematics which is
not completely solved nowadays. The first author of this paper has provided
a cohomological description of cohomology classes of higher rank; there are other
theories such as the thesis of Zouhair Tamsamani.

II. 1.3. Connective structure on gerbe and public-key encryption. 

Let N be a differential manifold, and C a gerbe defined on N. We shall
suppose that the gerbe C is bounded by a commutative group L and denote by
C the Lie algebra of L. The notion of connective structure on a gerbe has been
defined by Brylinski and Deligne to study the differential geometry of gerbes,
and of infinite dimensional bundles. It is the notion analogous to the notion of
connection defined on manifolds.

Definition 1. 

A connective structure defined on the Abelian gerbe C → N, bounded by
the commutative group L is defined by:

For each open subset U of N, and each e_U of C(U), a torsor Co(e_U) of C
valued 1-forms defined on U, which is called the torsor of connections.

We suppose that Co(e_U) behaves naturally with respect to restrictions.

For every map u : e_U → e'_U between the objects e_U and e'_U of C(U), there
exists a map u* : Co(e_U) → Co(e'_U) compatible with the composition and
restriction to smaller subsets.

For each morphism h of e_U, and each element ∇_{e_U} of Co(e_U), we have:

h*∇_{e_U} = ∇_{e_U} + h^{-1}dh

Let (U_i)_{i∈I} be a trivialization of the gerbe, that is a covering family of N
such that C(U_i) is not empty and its objects are isomorphic to each other. We
consider e_i an object of C(U_i), and an element α_i ∈ Co(e_i); in U_i ∩ U_j, we can
define α_{ij} = α_j - u_{ij}*α_i, and we have the relation:

(1) α_{jl} - α_{il} + α_{ij} = u_{ijl}^{-1} d u_{ijl}

Definition 2. 

The curving of a gerbe is defined as follows: 

For each object e_U of C(e_U), and each connection ∇_{e_U} of Co(e_U), a 2-form
H(e_U) defined on U such that for each 1-form α defined on U, H(∇_{e_U} + α) =
H(e_U) + dα.

A connective structure is flat if and only if the curving is zero. 

Suppose that the curving of a connective structure is zero, and the gerbe
is defined by a good cover (U_i)_{i∈I}. We choose an object of C(U_i), and an
element α_i of Co(e_i); we have α_j = α_{ij} + α_i, and since the curving is zero, H(α_i) =
H(α_j) = 0. This implies that d(α_{ij}) = 0. Thus there exists c_{ij} : U_{ij} → C such
that dc_{ij} = α_{ij}. The equality (1) implies that d(c_{jl} - c_{il} + c_{ij}) = dLog(u_{ijl}).

Denote by c'_{ij} = exp(c_{ij}). The 2-Cech cocycle u_{ijl} c_{jl} c_{il}^{-1} c_{ij} is the holonomy
cocycle.

We remark that the flatness of the bundle is completely characterized by the
fact that the family of 1-forms α_{ij} are closed, thus by the existence of the cocycle
c'_{ij}. This motivates the following definition:

Definition 3. 

Let D be a gerbe defined over the site C, bounded by the commutative sheaf, 
a flat connective structure of C is a 1-Cech L-chain. 

An example of a connective structure defined on a gerbe is a connective structure
defined on the gerbe C defined by an extension problem 1 → H_1 → H_2 →
H → 1 as follows:

Consider the H-principal bundle P → N, and a connection ∇ defined on P;
for each object e_U of C(e_U), we can consider the set of connections of e_U which
project to the restriction of ∇ to U.

If the bundle P → N is flat, we have seen that a connection is defined by
a 0-chain U_i → L; this motivates the following definition that will be used to
define symmetric encryption:

Definition 4. 

Let D be a gerbe defined on the site C. We suppose that there exists a flat
torsor P → C such that C is the gerbe associated to the lifting problem defined
by the exact sequence 1 → H_1 → H_2 → H → 1. A connective structure on C
is a 1-H_2 Cech chain c_1 defined on C, such that there exists a 0-chain c_0, such
that c_1 is the lift of the boundary of c_0 by the map H_2 → H. We shall denote
this connective structure by (c_0, c_1), or (c_i, c_{ij}) in local coordinates.

To define the classifying cocycle of the gerbe D, we consider a trivialization
Ui,u^ of the torsor P; let [c] denote the cohomology class of this cocycle. The
classifying cocycle is obtained as the image of [c] by the map H^1(C, H) →
H^2(C, H_1). We can define the element Uij whose projection by the map H_2 →
H is M-j.

Definition 5. 

Let D be a gerbe defined by an exact sequence, and (c_i, c_{ij}) a connective structure
defined on D. We consider a lift of c_i in H_2, using the map H_2 → H. A public
encryption defined on the gerbe C is defined by the following data:
A function J : H_2 × H_2 → H_2,

such that for every J{Ln{d^^ c'j) = Uij.

This encryption is more secure than the encryption defined by a torsor
since the Chasles relation is not satisfied by the family of Uij.

The private key of the user U_i is Log(c'_i), and its public key is c'_i; as usual
the secrecy is due to the fact that it is infeasible to compute the logarithm in a
reasonable time.

II. 3. Non commutative cohomology and probabilistic theory of 
ciphers. 

The purpose of this part is to study the unconditional security of the ciphers 
defined with a gerbe. 

Let N be a network, U_i and U_j users of N. We suppose that U_i and U_j
exchange texts written in an alphabet, and these texts are encrypted by blocks
which are elements of a set E. We suppose that the encryption in the network is
defined by a gerbe D, and the objects of D_{U_i} are isomorphic to E. We shall first
study the following question: what is the probability that U_i sends the plaintext
C to U_j by following the path (i_1 = i, ..., i_n = j).

The local study. 

We study first the probability for a given cipher encrypted by U_i to be
received by U_j where there exists an edge between U_i and U_j. The plaintexts
that U_i encrypts or decrypts are elements of an object E_i of the fiber C_{U_i}. We
suppose that E_i is endowed with a probability. To each plaintext P- of E_i we
assign the probability p\.

The keys used by U_i are the transition functions u_{ji}; the cardinal of the set
of these keys is the cardinal of the band H_2 of the gerbe. This is due to the fact
that the set of transition functions between E_i and E_j is in bijection with the
band. The set of keys u_{ji} used by U_i to send messages to U_j is a probabilistic
space; we denote the probability of the key Uj^, dj^. We assume that the choice
of a plaintext is an event independent of the choice of a key.

Consider the probability space U_{ji} × E_i, endowed with the product of the
probabilities of E_i and U_{ji}. The event that a cipher C_j is received by U_j is represented by the
subspace of U_{ji} × E_i whose elements (u_{ji}, P_j) verify u_{ji}(P_j) = C_j. Thus the
probability pc^ to obtain the cipher C_j is:

PleE,y.,eUjiy^,iPl)=Cj 

The global study. 

We consider now the situation when Ui sends a plaintext Pj^ to Uj through
the network, by following the path (ii = = j). When an user f/j^ 

receives a plaintext/ciphertext from Ui^_^, he uses a key Ui^^^i^ chosen ran- 
domly to send a message to Ui^^-^. Thus we consider the product of proba- 
bility spaces np~"~^[/ijj^jip X Pi^. An event of this space is a collection of 
events (wi^i, Pj), (wj^i^, PjJ, Pi„_ J. The probability pc^ represents 
the probability of the plaintext/ciphertext to be obtained by Uj when a mes- 
sage is sent by Ui conveyed in the path {ii = i, ...,in = j).: 



PC, 



J2 d\\^Vid\li^Pi^...d)l 

,(Ap)=P.p+i,«,.„_i(P,„_i)=C, 



Where d^i^^^i^ is the probability of the key Ui^^^i^, and Pi^ the probability of 
the event Pi^ . 

The probability pcj depends on the path used by Ui to send a message
to Uj, as the following example shows: consider the network whose set of users
is {U_1, U_2, U_3, U_4}, and such that there exists a path between {U_1, U_2}, {U_2, U_4},
{U_1, U_3}, {U_3, U_4}. We assume that each user U_i has a couple of plaintexts/ciphertexts
PI, Pj. We denote by u_{ji} the unique key between U_i and U_j. Suppose that the
probability of the plaintext/ciphertext Pf to be received by U_4 from U_2 is 1, and
the probability of P^ to be received by U_4 from U_3 is 0; a message sent by U_1
to U_4 using the path U_1 U_2 U_4 is different from a message sent by U_1 to U_4 using
the path U_1 U_3 U_4.

Consider a set of plaintext/ciphertext Pi £ Ei, Pi^_-^ £ £^i„_i • The condi- 
tional probability of the plaintext/ciphertext Cj to be realized given Pi,..., Pi„_-^ 
is: 



The Bayes formula implies that the conditional probability P(Pj,..,Pj^_ jic^ 



. PCi\(Pi Pi ) 

is — 

PC.

Definition 1.

A path has perfect secrecy if and only if p(p^ p^ = PiPi2---Pi„-i- That 

is, if the knowledge of a ciphertext obtained by Uj by an attacker does not give 
him information about the plaintext/ciphertext chosen at every node. 

Proposition 1. 

Suppose that at every node, (1,12), ■■■,{in-i,j) there exists perfect secrecy, 
then the path {ii = 1,12, j) has perfect secrecy. 

Proof. 

Suppose that there exists perfect secrecy at every node. Let Pi € Ei,Pi^ G 
■Eis, ...Pj„_i G Ei^-i, we have: 

If we multiply pi, ...,pi^_^ using the previous formula, we obtain the result. 

Suppose that the system has perfect secrecy, and the probability pcj > 0,
for any set of plaintexts/ciphertexts Pi G Ei, Pi^_^ G Ei^_^, we have pc^ =

P{^j I (-Pi) ••) = Z]ui2,(P,)=P,2,- -,">„„ij(Pi„_i) = f3 '^**2"-'^jjn-l > ^^^^ 

implies that there exists Ui-^i, ...,Uji^_-^ such that Mipip_i (Pip_i) = Pip- Thus the 
cardinal of the set of keys (that is the cardinal of H_2) used by J7ip_i is greater
than the cardinal of the set of plaintexts/ciphertexts used by Ui^, which is the cardinal
|E| of E. The following result is a corollary of the Shannon theorem:

Theorem 1.

Suppose that the user U_i sends a message to U_j using the path (i_1 = i, ..., i_n =
j). Suppose also that |E| = |H_2|. Then the path has perfect secrecy if the
following conditions are satisfied:

Every key is used with the probability

For every set of plaintexts/ciphertexts {Pi G Ei, ...,Pj^_^ G Ei^_/), and every
set of plaintexts/ciphertexts P/^ G Ei^,..,Pj G Ej, there exists a unique set of
keys ui^i, ■■,Uji^_^ such that Uipip_^{Pi^_/) = P/^.

Proof. 

The Shannon theorem shows that there exists perfect secrecy at every node
{ip-i,ip) if and only if every key is used with probability and for every
plaintext/ciphertext Pip_i, and every plaintext/ciphertext P/^, there exists a
unique key Wipi^.i such that Ui^i^_^{Pi^_J = P^^.

Thus we have to show that the fact that for every set of plaintexts/ciphertexts
(Pi G Ei, Pi^_^ G Ei^_/), and every set of plaintexts/ciphertexts P/^ G Ei^ , .., Pj G
Ej, there exists a unique set of keys Ui^i, ■■,Uji^_^ such that Wipip_i (Pip_i ) =
P/^ implies that for every plaintext/ciphertext Pip_i , and every plaintext/ciphertext
P/^, there exists a unique key Ui^i^_^ such that Ui^^i^^_^{Pi^_/) = P'^, which is
the second hypothesis of the Shannon theorem at every node. This is
straightforward.
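The statement of Proposition 1 and Theorem 1 can be checked exactly on a small path. This is an added example, not code from the paper; it assumes the alphabet E is Z/m, the keys are the translations of Z/m (so |E| = |H_2| and exactly one key sends a given block to another), and each hop draws its key independently. The function names and the sample distributions are constructed for the illustration.

```python
"""Exact check of perfect secrecy along a path, hop by hop."""
from fractions import Fraction
from itertools import product


def uniform(m):
    """Every key used with the same probability 1/m."""
    return {k: Fraction(1, m) for k in range(m)}


def joint_distribution(prior, key_dists, m):
    """Return {(P_1, ..., P_{n-1}, C): probability} for a path of len(key_dists) hops.

    The block forwarded by each node is the received block translated by
    that hop's key: P_{t+1} = P_t + k_t (mod m).
    """
    joint = {}
    for p1, pr in prior.items():
        for keys in product(*(d.items() for d in key_dists)):
            prob, values = pr, [p1]
            for k, dk in keys:
                prob *= dk
                values.append((values[-1] + k) % m)
            if prob:
                joint[tuple(values)] = joint.get(tuple(values), 0) + prob
    return joint


def leakage(prior, key_dists, m, keep=None):
    """Largest gap between P(secret | C) and P(secret), as an exact fraction.

    `keep` lists which positions of the path count as the secret; by default
    all blocks P_1, ..., P_{n-1} chosen at the nodes. Zero means the received
    ciphertext C tells an observer nothing about the secret.
    """
    joint = joint_distribution(prior, key_dists, m)
    keep = range(len(key_dists)) if keep is None else keep
    p_c, p_s, p_sc = {}, {}, {}
    for values, pr in joint.items():
        s, c = tuple(values[i] for i in keep), values[-1]
        p_c[c] = p_c.get(c, 0) + pr
        p_s[s] = p_s.get(s, 0) + pr
        p_sc[s, c] = p_sc.get((s, c), 0) + pr
    return max(abs(p_sc.get((s, c), Fraction(0)) / pc - ps)
               for s, ps in p_s.items() for c, pc in p_c.items())


# Constructed sample data: a skewed plaintext distribution on Z/5 and a
# biased key distribution that only ever uses two of the five keys.
M = 5
PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
BIASED = {0: Fraction(1, 2), 1: Fraction(1, 2)}

if __name__ == "__main__":
    print("uniform keys at both hops:", leakage(PRIOR, [uniform(M), uniform(M)], M))
    print("biased key at last hop   :", leakage(PRIOR, [uniform(M), BIASED], M))
    print("  first block only       :", leakage(PRIOR, [uniform(M), BIASED], M, keep=[0]))
    print("biased keys at both hops :", leakage(PRIOR, [BIASED, BIASED], M, keep=[0]))
```

With a biased key at the last hop the intermediate block leaks while the first block stays hidden, which is why the hypothesis is required at every node of the path.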
The entropy cocycle.

In this part we are going to study the entropy of data conveyed in a network.

Definition 2.

Let U be a random variable defined on the set {ui, we denote by p_i
the probability of the event U = u_i. The entropy is H(U) = - Σ_i p_i Ln(p_i),
where Ln is the logarithm.

Let V be another random variable defined on {v_1, ..., v_p}; we denote by p'_i
the probability of the event V = v_i. We denote by H(U | v_j) = - Σ_i p(u_i |
v_j) Ln(u_i | v_j).

We denote by H(U | V) = Σ_i H(U | v_i).

The entropy H(U) quantifies the information given by the variable U, and
the relative entropy H(U | V) quantifies the information given by the variable
U if we already know the information given by the variable V.

Proposition 2. 

Let N be a network, U_i and U_j users of N. We suppose that the keys are
defined by a gerbe C defined on N. Let V_{ji} be the space of keys that U_i uses to send
messages to U_j; the entropy H(V_{ji}) is a 1-Cech cocycle.

Proof. 

Let Ui, Uj and Ul be users of N, we have to show that H{Vji) - H{Va) +
H{Vij) =0. The set of keys Vu is the set of automorphisms between Ei Ei 
which can be viewed as composition of elements Uij o Uji. The probability 
measure on Vu is thus the product of the probability measures of Vij and Vji, 
since we have assumed that the choices of keys at each node are independent. Let
Pij be the probability of u,j , and pji be the probability of Uji , the probability 
of Uij o Uji is PijPji ■ We deduce that 

H{Vii) = ^ -PijPjiLn{pijPji) 

uijeVij,UjieVji 

X] PijP3i{Ln{pij) + Lnipji) 

Uij EVij,Uji ^Vji 

= ( X! Pi^^^~ X PijLn{pij) + { ^ Pij){- ^ PjiLn{pji) 
= H{Vij) + H{Vji). 

This implies the result. 

The following result is well-known in the theory of information:

Theorem 2.

Consider a network, and users U_i and U_j of the network. We denote by V_{ji} the
set of keys used by U_i to send messages to U_j, P_i the set of plaintexts/ciphertexts
used by U_i, and P_j the set of plaintexts/ciphertexts used by U_j; then H(V_{ji} | P_j) =

H(V_{ji}) + H(P_i) - H(P_j).

We can show the following result: 
Proposition 3. 

In a network, the quantity H{Vji \ Pj) is a 1-Cech cocycle. 
Proof. 

We have to show that for users Ui, Uj and Ui of N, H{Vij \ Pi) — H{Vii \ 
Pi) + H{Vji \Pj)= 0. We have: 

H{Vij I Pi) - H{Vu I Pi) + H{Vji I Pj) = 



H{Vij) + H{Pj) - H{Pi) - {H{Vu) + H{Pi) - H{Pi)) + H{Vji) + H{Pi)-H{Pj) 

= H{Vij)-H{Vii)+H{Vji) = 
Since we have shown that H{Vij) is a 1-Chain cocycle. 

III. Higher non Abelian cohomology and End to End encryption. 

Non commutative geometric cohomologies are needed in geometry to repre- 
sent higher cohomological classes. These theories are also studied in theoretical 
physics to interpret the action in string theory. The main difficulty to construct 
such a theory is to define a theory of n-categories, the notion of 2-category has 
been defined by Benabou, for n > 2, the coherence relations needed to define 
such a theory increases considerably, there exists many attempts to define such 
a theory, for example the thesis of Zouhair Tamsamani. We shall present now 
the notion of non Abelian cohomology that we shall use to define end to end 
encryption. This notion is presented in the paper [5], and does not use a the- 
ory of n-category. The idea is to define recursively geometric representation of 
cohomology classes. This theory can be viewed as the geometric representation 
of the connecting morphism associated to an exact sequence of sheaves. 

Definition 1. 

A tower of torsors defined on the site C is defined by a sequence of functors
F_n → F_{n-1} → ... → F_0 → C, such that:

F_0 → C is a torsor bounded by the sheaf L_0,
The projection p_i : F_{i+1} → F_i is Cartesian,

There exists a sheaf Li defined on C such that for each object ej, Autp._^(^g.^{ei) = 
Li{pf)...pi^i{ei)), where Autp._^i^^.-^{ei) is the group of automorphisms of Cj, 
which project to the identity map of pi(ei) 

The classified cocycle associated to a tower of torsors.

Suppose that the sheaves Li are commutative; we shall associate to each tower
of torsors F_n → F_{n-1} → ... → F_0 → C cohomological cocycles (c_1, ..., c_{n+1}) defined
recursively:

We consider an object of F^yjj. , and a map Uij : , the family of maps
{uij) define a 1-cocycle, which is the classifying cocycle of the torsor F_0 → C.

Since the functor F_1 → F_0 is cartesian, we can find a map w : e'j e ■
of F_1 whose projection to F_0 is Uij ,

Proposition 1. 

The family of maps Uiji = u'-iu'^~^u[j defined a 2-cocycle. that we denote 02- 

The sequence Fi ^ Fq ^ C defines a gerbe over C whose band is Li, C2 is 
the classifying cocycle of this gerbe, the family (ci, C2) is the classifying cocycle 
of the tower of torsors Fi — > — * C- 

Supposed defined the classifying cocycle of the tower Fi Fi-i ... 
Fq — > C, it is a family of cocycles (ci,C2, ...,Ci+i), where for < I < i + 1, ci 
is a Z + 1- L(-cocycle. We denote by Ui^,,^.^^ the chain which define the i + 
cocyclc, it is an automorphism of the object eij...ij_^j^ of Fi over Ui-^,,,i-^-^, since 
the map .Fi+i Fi is cartesian, we can lift Ui^,,i._^_2 to a map u'i^ i^.^^ of the 
object eii...jj_^2 of -Fj+i, we suppose that ei^,„i^_^_2 projects to the restriction of 

Proposition 2. 

The Čech boundary $\delta(u'_{i_1 \dots i_{i+2}}) = u_{i_1 \dots i_{i+3}}$ is an $i+1$-$L_{i+1}$-Čech cocycle, 
which is the classifying cocycle. 

We denote by $c_{i+2}$ the $i+2$-cocycle defined by the chain $u_{i_1 \dots i_{i+3}}$; the family 
of cocycles $(c_1, \dots, c_{i+2})$ is the classifying cocycle of the tower $F_{i+1} \to \dots \to F_0 \to C$. 

Let $U$ be an object of $C$, and $e_U$ an object of $F_0(U)$. We denote by $f_{n e_U}$ the 
fiber of $e_U$; it is the $n-1$ tower $F_{n e_U} \to \dots \to F_{1 e_U} \to e_U$, such that $F_{i e_U}$ is the 
subcategory of $F_i$ whose objects project to $e_U$. We endow $e_U$ with the topology 
of $U$. 

Let $U_i$ and $U_j$ be objects of $C$, and $e_{U_i}$ and $e_{U_j}$ two respective objects of 
$F_{0U_i}$ and $F_{0U_j}$; a map $u_{ij} : e_j \to e_i$ induces a morphism $u^n_{ij} : f_{n e_{U_j}} \to f_{n e_{U_i}}$ of 
$n-1$-towers of torsors between the fibers of $e_j$ and $e_i$. 

Example. 

Let $C$ be a site, consider a torsor $F_0 \to C$, and a family of exact sequences 
$1 \to L_{i+1} \to L'_{i+1} \to L'_i \to 1$, $0 < i < n$. This sequence induces the following 
tower of torsors: $F_1$ is the category defined as follows: an object $e_U$ of $F_1$ is an 
$L'_1$-torsor defined over an object $U$ of $C$, such that the quotient of $e_U$ by $L_1$ is the 
restriction of $F_0$ to $U$. 

Suppose defined the category $F_i$, $i < n-1$; an object $e'_U$ of $F_{i+1}$ is an 
$L'_{i+1}$-torsor over an object $U$ of $C$ such that its quotient by $L_{i+1}$ is the restriction 
of an object of $F_i$ to $U$. 
III.1. Encryption with a tower of torsors. 
Definition 1. 

Let $C$ be a tower of torsors, and $F_n \to F_{n-1} \to \dots \to F_0 \to C$ a tower of torsors 
defined on $C$. We suppose that the objects of $C$ are members of a network, 
and for each object $U$ of $C$, the objects of the category $F_n$ which project to $U$ 
are isomorphic to a trivial $L'_{n+1}$-torsor defined on $U$, where $L'_{n+1}$ is a finite 
(commutative) group that we identify with the alphabet used in the network. The 
encryption defined by the tower of torsors $C$ is the encryption such that the 
exchange between $U_i$ and $U_j$ is defined by a map $u^n_{ij} : e^n_j \to e^n_i$, where $e^n_j$ and 
$e^n_i$ are objects of $F_n$ whose respective projections on $C$ are $U_j$ and $U_i$. 

This protocol of encryption can be applied to the previous example of tower 
of torsors. We have seen that in a network, the information is hierarchical. In 
a network in which encryption is defined by a tower of n-torsors, the alphabet 
is $L'_{n+1}$, which can be viewed as a union of the alphabets $L_i$, $0 < i < n$. The 
information written with the alphabet $L'_0 = L_0$ is the header, which is encrypted 
and decrypted at each node. We are going to see that the larger $n$ is, 
the more difficult it is to break information conveyed in the tower of torsors. 
Thus the natural order of the alphabet defines an order of confidentiality on 
the message. 

Attack on encryption defined by a tower of torsors. 

We have defined an attack for an encryption protocol defined by a gerbe; 
we shall generalize this attack to an encryption protocol defined by a tower of 
torsors. We remark that an encryption defined by a tower of torsors is a priori 
more secure than an encryption defined with a gerbe, since the relations 
between the keys are more complicated in the tower of torsors than in the gerbe. 

We suppose that we can define an attack for a tower of torsors $F_n \to \dots \to 
F_0 \to C$ using $n+2$ intruders; this is equivalent to saying that given $n+2$ 
intruders $U_1, \dots, U_{n+2}$, and two users $U_i$ and $U_j$ of the network, we can define 
an attack which allows $U_1, \dots, U_{n+2}$ to find the key 

Let $f_{n+1} = F_{n+1} \to F_n \to \dots \to F_0 \to C$ be a tower of torsors which defines an 
encryption scheme over the topos $C$. Suppose that there exist $n+3$ intruders 
in the network, denoted by $U_1, \dots, U_{n+3}$. We can construct the topos $C_{U_1}$ whose 
final object is $U_1$, and whose topology is generated by the covering family $(U_1 \times_C 
U_i)$. The restriction of $F_0$ to $C_{U_1}$ is trivial; we can thus construct the tower of 
torsors $\dots \to F'_0 \to C_{U_1}$, where $F'_i$ is the fiber $F_{i+1\,U_1}$ of $F_{i+1}$ over $U_1$. This 
sequence is an $n$-tower of torsors; its classifying cocycle can be constructed using 
the restriction of the transition functions $u_{ij}$ of $F_0 \to C$ to $C_{U_1}$. The recursive 
hypothesis implies that the encryption protocol that it induces can be broken 
with $n+2$ intruders; since $U_1 \times_C U_2, \dots, U_1 \times_C U_{n+3}$ are intruders, we deduce 
that the encryption system can be broken. 

The encryption protocol with $n$-tower of torsors gives rise to the following 
problem: Let $N$ be a network whose users are $U_1, \dots, U_n$. We suppose that the $U_i$ 
are objects of a topos, and they communicate with plaintexts written in a finite 
alphabet which can be identified with an algebraic variety $V$ over a finite field; we 
suppose that the keys are elements of the group $H$ of algebraic automorphisms 
of $V$. Is there a tower of gerbes, or a notion of $n$-gerbe, such that the keys are 
defined using the previous protocol? 

Proposition 1. 

Suppose that there exists an exact sequence $1 \to H_1 \to H \to H_2 \to 1$ such 
that $u_{ij} u_{jl} u_{li} \in H_1$; then there exists a gerbe $D \to C$ such that the encryption 
protocol associated to $D$ defines the keys of the cryptosystem. 

Proof. 

The projection $p : H \to H_2$ induces a torsor $P \to C$, whose trivialization 
is defined by the transition function $p(u_{ij})$; the gerbe associated is the gerbe 
defined by the extension problem of the exact sequence. 

II. 2. Public encryption and tower of torsors. 

We shall define public encryption using towers of torsors; for this purpose we 
need to define a notion of flat tower of torsors and of connective structure on a flat 
tower of torsors. 

Definition 1. 

A connective structure defined on the tower of torsors $F_n \to F_{n-1} \to \dots \to F_0 \to C$ 
is a 0-chain of the sheaf $L_0$. 

This definition generalizes the corresponding definition for torsors and gerbes. 

In practice, as we have seen in the example defined above, the objects of $F_i$ 
are $L'_i$-torsors defined over an object of $C$. The map $u^n_{ij} : e^n_j \to e^n_i$ is induced 
by a map of the trivial $H_{n+1}$-torsor defined over $U_i \times_C U_j$; a connection can 
be defined as a family $(c_i)_{i \in I}$ of elements of the Lie algebra $\mathcal{H}_{n+1}$. 

A public encryption is defined by a function $L : \mathcal{H}_n \to H_n$ such that 

$L(c_i, \exp(c_j)) = u^n_{ij}$ 
The private key of the user $U_i$ is $c_i$, its public key is $\exp(c_i)$. 